U.S. ENVIRONMENTAL PROTECTION AGENCY
OFFICE OF INSPECTOR GENERAL

Catalyst for Improving the Environment

Quick Reaction Report

Results of Technical Network Vulnerability Assessment: EPA’s Region 4
Report No. 10-P-0213

September 7, 2010

Report Contributors:   Rudolph M. Brevard
                       Charles Dade
                       Cheryl Reid
                       Michael Goode, Jr.
                       Vincent Campbell


At a Glance

Results of Technical Network Vulnerability Assessment: EPA’s Region 4

Why We Did This Review

As part of the annual audit of the U.S. Environmental Protection Agency’s (EPA’s) compliance with the Federal Information Security Management Act, the Office of Inspector General (OIG) conducted network vulnerability testing of the Agency’s network devices in EPA’s Region 4 building located in Atlanta, Georgia.

Background

Network vulnerability testing was conducted to identify any network risk vulnerabilities and to present the results to the appropriate EPA officials, who can then promptly remediate or document planned actions to resolve the vulnerability.

For further information, contact our Office of Congressional, Public Affairs and Management at (202) 566-2391.

To view the full report, click on the following link:
www.epa.gov/oig/reports/2010/20100907-10-P-0213.pdf

What We Found

Vulnerability testing of EPA’s Region 4 network conducted in June 2010 identified Internet Protocol addresses with numerous high-risk and medium-risk vulnerabilities. The OIG met with EPA information security personnel to discuss the findings. If not resolved, these vulnerabilities could expose EPA’s assets to unauthorized access and potentially harm the Agency’s network.

What We Recommend

We recommend that the Chief, Environmental Information Solutions Branch, Office of Policy Management, Region 4:

   • Provide the OIG a status update for all identified high-risk and medium-risk vulnerability findings contained in this report.

   • Create plans of action and milestones in the Agency’s Automated Security Self-Evaluation and Remediation Tracking system for all vulnerabilities that cannot be corrected within 30 days of this report.

   • Perform a technical vulnerability assessment test of assigned network resources within 60 days to confirm completion of remediation activities.

Due to the sensitive nature of the report’s technical findings, the attachment will not be available to the public.


UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460

THE INSPECTOR GENERAL

September 7, 2010

MEMORANDUM

SUBJECT:   Results of Technical Network Vulnerability Assessment: EPA’s Region 4
           Report No. 10-P-0213

FROM:      Arthur A. Elkins, Jr.
           Inspector General

TO:        Keith Mills
           Chief, Environmental Information Solutions Branch
           Office of Policy Management
           Region 4

Attached is the final technical network vulnerability assessment report prepared by the Office of Inspector General (OIG) of the U.S. Environmental Protection Agency (EPA).¹ The site assessment was conducted in conjunction with the Fiscal Year 2010 Federal Information Security Management Act audit. Vulnerability testing of EPA’s Region 4 network conducted in June 2010 identified Internet Protocol addresses with numerous high-risk and medium-risk vulnerabilities.

We performed this audit from May through August 2010 at EPA’s Region 4 offices in Atlanta, Georgia. We performed this audit in accordance with generally accepted government auditing standards. These standards require that we plan and perform the audit to obtain sufficient and appropriate evidence to provide a reasonable basis for our findings and conclusions based on the audit objectives. We believe the evidence obtained provides a reasonable basis for our findings and conclusions.

We conducted testing to identify the existence of commonly known vulnerabilities using a commercially available network vulnerability assessment tool recognized by the National Institute of Standards and Technology. We tested the Internet Protocol addresses associated with network resources controlled by your office. We used the risk ratings provided by the vulnerability software to determine the level of harm a vulnerability could cause to a network resource. We accepted the results from the software tool. The vulnerabilities identified by the software are disclosed in the attachment. We provided the complete details of our testing results to Agency representatives.

The estimated cost for performing these tests and compiling this report is $3,459.

Recommendations

We recommend that the Chief, Environmental Information Solutions Branch, Office of Policy Management, Region 4:

   1. Provide the OIG a status update for all identified high-risk and medium-risk vulnerability findings contained in this report.

   2. Create plans of action and milestones in the Agency’s Automated Security Self-Evaluation and Remediation Tracking system for all vulnerabilities that cannot be corrected within 30 days of this report.

   3. Perform a technical vulnerability assessment test of assigned network resources within 60 days to confirm completion of remediation activities.

Action Required

In accordance with EPA Manual 2750, you are required to provide a written response to this report within 30 calendar days. You should include a corrective actions plan for agreed-upon actions, including milestone dates.

Due to the sensitive nature of the report’s technical findings, the full report will not be made available to the public. However, the OIG plans to publish the unrestricted version of this report, your response, and any corrective action plans on OIG’s Website, which is available to the public. Therefore, we request that you provide your response to Recommendation 1 in a separate document.

If you or your staff have any questions regarding this report, please contact Rudy Brevard at (202) 566-0893 or brevard.rudy@epa.gov.

¹ A vulnerability assessment is the process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a tested information system. A vulnerability assessment does not include a penetration test which would attempt to use the identified vulnerabilities to gain further access into the tested information system.


Status of Recommendations and Potential Monetary Benefits

RECOMMENDATIONS                                                                                                POTENTIAL MONETARY BENEFITS (in $000s)

                                                                                                   Planned
Rec.  Page                                                                                         Completion  Claimed  Agreed To
No.   No.   Subject                                             Status¹  Action Official           Date        Amount   Amount

1     2     Provide the OIG a status update for all identified  U        Chief, Environmental
            high-risk and medium-risk vulnerability findings             Information Solutions
            contained in this report.                                    Branch, Office of Policy
                                                                         Management, Region 4

2     2     Create plans of action and milestones in the        U        Chief, Environmental
            Agency’s Automated Security Self-Evaluation and              Information Solutions
            Remediation Tracking system for all vulnerabilities          Branch, Office of Policy
            that cannot be corrected within 30 days of this              Management, Region 4
            report.

3     2     Perform a technical vulnerability assessment test   U        Chief, Environmental
            of assigned network resources within 60 days to              Information Solutions
            confirm completion of remediation activities.                Branch, Office of Policy
                                                                         Management, Region 4

¹ O = recommendation is open with agreed-to corrective actions pending
  C = recommendation is closed with all agreed-to actions completed
  U = recommendation is undecided with resolution efforts in progress


Appendix A

Distribution

Office of the Administrator
Assistant Administrator of Environmental Information and Chief Information Officer
Regional Administrator, Region 4
Chief, Environmental Information Solutions Branch, Office of Policy Management, Region 4
Acting Senior Agency Information Security Officer
Acting Director, Technology and Information Security Staff
Agency Follow-up Official (the CFO)
Agency Follow-up Coordinator
General Counsel
Associate Administrator for Congressional and Intergovernmental Relations
Associate Administrator for External Affairs and Environmental Education
Audit Follow-up Coordinator, Region 4
Inspector General